An EU age verification app has sparked controversy after cybersecurity experts discovered multiple vulnerabilities. The system, which was claimed to be "technically complete" and to meet the "highest privacy standards," was breached in less than two minutes. Security consultant Paul Moore was the first to point out the vulnerability. After studying the application's open source code, he demonstrated in a video how to bypass the protection.

The key vulnerability is that the encrypted PIN code is only stored locally on the device and is not reliably bound to the identity storage area. An attacker can simply delete a few system service files to reset old PINs, set new passwords, and gain full access to previously authenticated identity data. In addition, settings were found in the configuration file that allow turning off biometric authentication (changing the parameter value from "true" to "false") and resetting the number of PIN entry attempts. Moore noted that these operations require no complex tools and can be completed in minutes.
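One way to bind the PIN to the identity store, so that deleting or editing local files gains nothing, is to wrap the store's encryption key under a PIN-derived key and cover the settings with the same MAC. The following is an added example, not the app's code; `seal`, `unseal`, the record layout and the iteration count are assumptions made for illustration.

```python
import hashlib, hmac, json, os

ITERATIONS = 200_000  # constructed value; tune for the target device
# A short PIN can still be guessed offline, so production code would also mix
# in a hardware-backed key. That step is left out of this sketch.

def _derive(pin: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the PIN into a wrapping key and a separate MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def _tag(mac_key: bytes, salt: bytes, wrapped: bytes, settings: dict) -> bytes:
    # Canonical JSON so the same settings always serialise to the same bytes.
    body = salt + wrapped + json.dumps(settings, sort_keys=True).encode()
    return hmac.new(mac_key, body, hashlib.sha256).digest()

def seal(pin: str, vault_key: bytes, settings: dict) -> dict:
    """Wrap the 32-byte vault key under the PIN and authenticate the settings."""
    if len(vault_key) != 32:
        raise ValueError("vault key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt, so each wrapping key is used only once
    wrap_key, mac_key = _derive(pin, salt)
    wrapped = bytes(a ^ b for a, b in zip(vault_key, wrap_key))
    return {"salt": salt.hex(), "wrapped": wrapped.hex(), "settings": settings,
            "tag": _tag(mac_key, salt, wrapped, settings).hex()}

def unseal(pin: str, record: dict) -> bytes:
    """Return the vault key; raise if the PIN is wrong or the record was edited."""
    salt, wrapped = bytes.fromhex(record["salt"]), bytes.fromhex(record["wrapped"])
    wrap_key, mac_key = _derive(pin, salt)
    expected = _tag(mac_key, salt, wrapped, record["settings"])
    if not hmac.compare_digest(expected, bytes.fromhex(record["tag"])):
        raise PermissionError("wrong PIN or tampered record")
    return bytes(a ^ b for a, b in zip(wrapped, wrap_key))

if __name__ == "__main__":
    key = os.urandom(32)  # would encrypt the identity data (e.g. with AES-GCM)
    rec = seal("493817", key, {"biometric_required": True})  # constructed PIN
    print("correct PIN recovers key:", unseal("493817", rec) == key)
    edited = dict(rec, settings={"biometric_required": False})
    try:
        unseal("493817", edited)
    except PermissionError as exc:
        print("edited settings rejected:", exc)
```

With this layout, deleting the record destroys the only copy of the wrapped key, so setting a new PIN afterwards cannot open the old data. A retry counter has to be updated before the PIN is known, so this MAC cannot cover it; rate limiting needs to be enforced by hardware-backed key storage rather than a local file.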

What's really shocking is that the app stores "raw" biometric data and selfie photos in unencrypted form on the user's device. Contrary to the European Commission's statements regarding the confidentiality and anonymity of the process, these files were never automatically deleted by the system. It was subsequently confirmed that the above-mentioned problem did not appear in the test sample, but existed in the final version of the software available for download.

Commenting on the situation, the European Commission acknowledged shortcomings but dismissed accusations of incompetence. Official representatives said the app is still in the refinement stage and the current version is not intended for actual deployment. They promised that all discovered vulnerabilities will be fixed in the near future and that the final product version will be released at a later date.